Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Internet Privacy Technology

Comcast DNS Redirection Launched In Trial Markets 362

An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
This discussion has been archived. No new comments can be posted.

Comcast DNS Redirection Launched In Trial Markets

Comments Filter:
  • malware (Score:5, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday July 09, 2009 @02:40PM (#28640155) Journal

    Another great press release about how it will be helpful and a "service" for users, while the main purpose is just to gather extra advertisement revenue (while breaking internet standards). I mean, this is what malware do. Oh well, atleast these non-us ISP's dont do such dirty acts to their customers here. Time to voice your opinion maybe?

    • Re:malware (Score:5, Funny)

      by Shakrai ( 717556 ) on Thursday July 09, 2009 @02:51PM (#28640317) Journal

      while breaking internet standards

      What are those? The last RFC that I read was titled "How to make the largest pile of cash while providing the least amount of service". I think it's RFC666 and is the one that most modern day ISPs seem to operate under.....

      • Re:malware (Score:5, Funny)

        by Anonymous Coward on Thursday July 09, 2009 @03:37PM (#28641033)

        I tried to find this RFC, but when i opened the page, it redirected me to some 404 search page for my ISP.

    • Re: (Score:3, Interesting)

      by xvx ( 624327 )
      Comcast is great. So I pay them for an internet connection, the price won't go down, and they get extra advertising revenue from there users. How long will it be until they start injecting ads into websites?
      • Re:malware (Score:5, Insightful)

        by jank1887 ( 815982 ) on Thursday July 09, 2009 @03:09PM (#28640621)

        modern corporate culture demands profit growth. not just continued profit, but growth of profits. how do you expect that to happen in a saturated market?

        • You over-exploit the natural and human resources of the area where you operate, strip it bare, then move on to the next one?

          The problem is that the "next area" is another planet, and we kinda lack the technology to get there for now...

        • Re:malware (Score:5, Insightful)

          by MrMr ( 219533 ) on Thursday July 09, 2009 @03:19PM (#28640767)
          Have the government outlaw your product?
        • Re:malware (Score:5, Informative)

          by dimeglio ( 456244 ) on Thursday July 09, 2009 @03:54PM (#28641293)

          Easy, through innovation and distinct added value. Shouldn't take a rocket scientist to figure it out but apparently it does. Recently, our ISP decided to offer a brand new service allowing you to double your bandwidth simply by adding another DSL line. Guess what, they are now the fastest growing ISP in Canada.

          Schemes like DNS redirection are a scam and should be banned unless they contain no advertising or indirect revenue generation whatsoever.

    • Re:malware (Score:4, Insightful)

      by basementman ( 1475159 ) on Thursday July 09, 2009 @03:26PM (#28640851) Homepage
      How is this different from OpenDNS? OpenDNS shows ads if your page can't be found. That said I much prefer my ISPs ad free DNS service to OpenDNS.
      • > How is this different from OpenDNS?

        One actively chooses to use OpenDNS. You get your ISP's servers by default.

      • Re:malware (Score:5, Informative)

        by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday July 09, 2009 @03:34PM (#28640967) Journal

        In what way is this relevant to OpenDNS? They actually do the same dirty trick aswell. Just because they have "open" in their name doesn't mean they're great and everyone should use them. They run their DNS servers to make profit from non-existing domains and hell, they even redirect requests to google.com to their own servers.

        Thankfully there are open dns servers that dont do such either, for example university in Gothenburg, Sweden: and and several others. Those that have the technical knowledge can also set up their own dns recursive dns servers on their linux box and use those directly (while it fetches the results from root servers)

        • Re:malware (Score:4, Insightful)

          by jtownatpunk.net ( 245670 ) on Thursday July 09, 2009 @04:21PM (#28641665)

          Yeah, it's exactly the same thing. Except opendns is very clear about what they're doing and any computer or network using opendns must explicity configure their system to use the opends servers. Heck, I'm looking at an opendns redirect right now. It's hard to miss the big opendns logo. And the "Why am I here?" link. And the "did you mean" links. Yeah. Exactly the same "dirty trick".

        • Re:malware (Score:5, Informative)

          by deraj123 ( 1225722 ) on Thursday July 09, 2009 @04:55PM (#28642097)

          Try looking at the entire service. So far as I have been able to tell, you can turn off every single one of their "features", giving you a simple, straightforward dns service.

          And for those replying to you confused about the google thing - they don't

          redirect requests to google.com to their own servers

          . What they do is provide a dns entry for www.google.com that points to their own servers. These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive (I have not experienced the functionality, and can't say whether I agree or disagree with their views). However, like every other "feature" I've found at OpenDNS, you can turn this off. Yes, at first you couldn't. I stopped using OpenDNS for awhile. Now you can.

          • Re: (Score:3, Informative)

            by psyclone ( 187154 )

            Um, this concerns me quite a bit:

            These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive...

            What? That doesn't make any sense. They only appear to proxy the first page, enough to capture what you type in the search box.

            Lets examine the evidence:

            $ dig @resolver1.opendns.com www.google.com A
            www.google.com. 30 IN CNAME google.navigation.opendns.com.
            google.navigation.opendns.com. 30 IN A
            google.navigation.opendns.com. 30 IN A

            $ whois
            OrgName: OpenDNS, LLC

            Now visit both:
            http://208.67.216. []

    • Re:malware (Score:5, Interesting)

      by Anonymous Coward on Thursday July 09, 2009 @03:46PM (#28641183)

      Just wanted to remind everybody that a few weeks ago, another slashdot article about comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.

      What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.

      But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)

      Also, this discredits Comcast's massive twitter efforts as ComcastBonnie so kindly made a slashdot account after seeing the twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.

      Just my two cents

    • Re: (Score:3, Informative)

      by Tacvek ( 948259 )

      The real nasty issue with these services are that they are claimed to be helpful to users. The issue is that it is not helpful. Modern browsers already provide options to redirect NXDOMAIN's to a search engine, or other useful things.

      For example, Google chrome provides a nice page that says "DNS error - cannot find server" in the corner, and provides a helpful search box that is pre-filled with the words found in the domain name. (I have no idea what algorithm is being used to find the word breaks, but it s

  • Here We Go Again (Score:5, Informative)

    by eldavojohn ( 898314 ) * <eldavojohn AT gmail DOT com> on Thursday July 09, 2009 @02:41PM (#28640165) Journal

    Some may remember when VeriSign tried this back in 2003, where it also failed.

    Oh yeah, way back in the day. But let us not forget Earthlink's [slashdot.org] attempt at this [slashdot.org] or Canadian Rogers Cable [slashdot.org] or Charter [slashdot.org] or NJ Cabelvision [slashdot.org] or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.

    And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.

    • Re:Here We Go Again (Score:5, Informative)

      by northernboy ( 661897 ) on Thursday July 09, 2009 @02:58PM (#28640447) Journal

      If I'm not mistaken (although I often am, sorry in advance) Cox has been doing this for months now, and nobody posted anything about that. If I 'typo' a URL at home, when connected via my (or my neighbor's) Cox cablemodem, I get a Verisign page indicating that www.whateveriswas.com is Under Construction.

      Is this not muchly the same thing??

      It pisses me off, but not enough to hunt down a better alternative.

      • Re:Here We Go Again (Score:5, Interesting)

        by raddan ( 519638 ) * on Thursday July 09, 2009 @03:41PM (#28641105)
        Sprint currently does this with their AirCard service. In fact, even if you try to query a specific DNS server, it hijacks your request and redirects your packets to its own. I discovered this after wondering WTF my DNS server was not operating correctly-- it turns it that my new DNS record had not propagated to Sprint's DNS. Since I run our company's DNS, this is a major PITA to me. Oh yeah, they appear to mess with DNS record TTLs as well.

        I'd gladly post examples but I'm at work and my AirCard is at home at the moment.

        I would gladly switch to another ISP, but I'm locked-in to a 2-year contract. Unless I can argue that their DNS hijacking violates the TOS, but I doubt it.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Rogers is still doing it.

    • by Lead Butthead ( 321013 ) on Thursday July 09, 2009 @03:03PM (#28640521) Journal

      When in doubt, keep trying. When rejected, keep trying. Enough people do this, it becomes the norm. Sad, but true.

    • Re: (Score:3, Informative)

      by jank1887 ( 815982 )

      I believe my Verizon DSL service does this. It can be disabled either by changing your computer DNS settings or modem settings depending on which modem you use.

      Verizon Support - Opting out of DNS assistance [verizon.net]

  • Sounds like time to pick some semi-standard alternate port number and start setting up some alternate recursive DNS servers, something between alt.* and TOR.

    • by 644bd346996 ( 1012333 ) on Thursday July 09, 2009 @02:52PM (#28640329)
      Why? It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers. Only the people who get their resolvers from DHCP (ie the people who don't know enough to care) will be affected.
      • It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers.

        Why not? As raddan posted above me, Sprint already did this with their aircard service. The huge majority of customers won't notice the difference since they don't know about alternative DNS servers.

  • Call it what it is (Score:5, Interesting)

    by wilsoniya ( 902930 ) on Thursday July 09, 2009 @02:46PM (#28640253)
    Didn't RTFA, but lets call a spade a spade--this is typosquatting [wikipedia.org]
    • by Zontar_Thing_From_Ve ( 949321 ) on Thursday July 09, 2009 @03:21PM (#28640803)
      This reminds me of a little known incident that happened in the mid 1990s. For a while, AT&T ran a service called 1-800-OPERATOR where you could call this number and get AT&T to connect you to a long distance call. For those who don't know, we're required (at least in most of the USA if not all of it) to pick a long distance service provider. That company does not have to be who you get local telephone service from. It was possible to place long distance calls with someone other than your long distance provider by simply dialing an access number that belonged to that company and you would get billed for the call from that company. So for example you might have, say, BellSouth as your long distance provider, but you could dial an access number and place calls on Sprint if Sprint offered a better rate. No need to change providers that way. So AT&T decided that it would be smart to get in on this too and lower their rates. So the way it worked was that you called 1-800-OPERATOR and someone at AT&T would connect you to your long distance call and charge you whatever rate AT&T had for the service. AT&T promoted this service on national television commercials and spent a lot of advertising money on it. Anyway, I had a friend at the time who worked for MCI in their marketing department. She told me that MCI had reserved the telephone number that corresponded to 1-800-OPERATER. MCI spent zero dollars advertising and simply waited for people who couldn't spell to call that number and they placed the call for the person and made the money off it. She told me "You would not believe how much money we made off this". Some months after the campaign started, AT&T quietly pulled the plug on it. I always assumed that too many people couldn't spell "operator" correctly and they were tired of giving business to MCI for nothing.
      • I love the whole idea of long distance calling. Send telephone signal to the house next door..oh that's free. Send it to the house across town? Oh thats 8 cents a minute. Send it to japan, oh that's 15 cents a minute.

        Send a voip signal over the internet to japan..oh that's free. See a little known fact that data is more expensive when sent by phone.

    • by typosquatting ( 1586073 ) on Thursday July 09, 2009 @03:36PM (#28641005) Homepage
      Totally agreed - it is absolutely typosquatting on a massive scale.

      Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com [youtuve.com] (notice the v instead of the b) got 358,751 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.

      By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example that shows the 431 registered .COM domain names that are one character away from google.com [aliasencore.com].

      Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level.
  • by Itninja ( 937614 ) on Thursday July 09, 2009 @02:50PM (#28640305) Homepage
    Or is it Comcasted?
  • by GPLDAN ( 732269 ) on Thursday July 09, 2009 @02:53PM (#28640345)
    It was *MUCH* easier for me to sign up for basic TV + internet with Comcast than what I ended up doing. I wanted to keep everything at the magic $100/mo. number, so I went with AT&T - DirecTV partnership, where they give you DSL and a dish and DVR, and put it all on one bill. My DSL is 3Mb down/768kb up, where a Speakeasy test at my neighbor showed almost 12Mb down and nearly a full meg up. When he asked "why would you choose that?" - my answer was simple: Comcast.

    AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
    • by plaiddragon ( 20154 ) on Thursday July 09, 2009 @03:02PM (#28640511)

      AT&T ... they aren't keeping a database of my URL lookups7.

      Until the NSA asks [eff.org] them to. Let's not pretend that AT&T isn't evil.

    • Re: (Score:2, Informative)

      by tekproxy2 ( 1386447 )
      AT&T Caps my bandwidth. They charged me an extra 20 dollars a few months ago for going over the limit. I buy their "ultra mega super elite" DSL service and upload an average of 40kb a second every second of every month. They sent me an e-mail notifying me about this wonderful little change to my AT&T e-mail address which no one fucking uses. I first saw the change on the bill. Thanks AT&T.
    • Re: (Score:3, Informative)

      I agree completely on not going with Comcast. I go with Qwest for my DSL.

      But you do know about the special rooms on the AT&T trunk lines that monitor all the traffic for the NSA, right?

      Not that me using Qwest stops my traffic from being monitored too, but at least I am not directly supporting AT&T (or Verizon) and their habit of handing over whatever information is asked without requiring a search warrant to back it up.

      Qwest refused to hand over data without a search warrant.
  • by nweaver ( 113078 ) on Thursday July 09, 2009 @02:53PM (#28640355) Homepage

    I don't want to name names, but Netalyzr [berkeley.edu] showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.

    Comcast is following the lead of other major ISPs which have been doing this for some time now.

  • Problems with this (Score:4, Interesting)

    by DigitAl56K ( 805623 ) on Thursday July 09, 2009 @02:58PM (#28640437)

    I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.

    DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.

    This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.

  • by Sheafification ( 1205046 ) on Thursday July 09, 2009 @03:04PM (#28640535)
    I noticed the summary mentioned several attempts that have failed, but makes no mention of other ISPs that are still doing it. Time Warner Cable is one that has been doing this for a while now (maybe a year?). Anyone know of others?
    • I think Windstream does since I've noticed it at friends houses. But at home I run a caching-only DNS server, so I never notice it...

    • I was going to same the same thing. I'm pretty sure my Road Runner from TWC does this already. Of course, with bookmarks, the search box and address completion, I rarely type the wrong URL anymore.
    • by mystik ( 38627 )

      Cox does it too, iirc. I've seen it @ places where I've help setup computers. I had been running my own dnscacher that directly hit the root servers, but when I learned about Cox doing it, I discovered they have a pair of DNS servers that *don't* exhibit this behavior and changed my resolver to hit those (to be net friendly). I'd switch it back to the roots in a heartbeat if they started being stupid about it again.

  • Why exactly does the ISP control DNS?
    Given the shenanigans the ISPs and governmental authorities have been up to the last few years, I say we need to rethink TCP. You see, we've been assuming all along that ISPs are not malicious. We need to start assuming they are malicious. The new TCP protocol should only assume that all socket level data is sensitive and therefore must be encrypted as to both its contents AND its destination. This implies traffic shaping, onion routing and a public key based DNS
  • by FranTaylor ( 164577 ) on Thursday July 09, 2009 @03:13PM (#28640683)

    This is all done under the assumption that the DNS query is for an HTTP request.

    What happens when other services run afoul of this setup?

    For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?

    • Re: (Score:3, Funny)

      by mdm-adph ( 1030332 )

      Forgive me for my lack of knowledge in this area, but isn't there some sort of encryption involved with that? Wouldn't you verify that the server you've reached is actually the server you wanted before you hand over credientials?

    • Re: (Score:3, Informative)

      by blueg3 ( 192743 )

      That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.

      If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.

  • Cablevision already does this in the Northeast US. :(

  • How exactly does a customer "retaliate", other than canceling their service, which is grossly impractical, given that, for example, in Boston, one only has 1-2 choices in cost-effective, high-speed internet access? Verizon services almost all suburban areas in MA with FiOS, but not anywhere in Boston, Cambridge, etc....so your choices are shitty DSL for $$$, or Comcast.
  • These never [krytosvirus.com] get old [krytosvirus.com]

  • Just go to the site below and opt-out :) https://dns-opt-out.comcast.net/ [comcast.net]
  • DNS redirection allows an ISP to quickly block infected PCs from participating in distributed attacks that rely on DNS.

  • But then I noticed that OpenDNS also does DNS redirection!
    The scary thing was, that of course this even works when I mistype Intranet addresses. (Should have been obvious to me, but I did not think about having switched to OpenDNS when this happened, and got very scared about the possibility of a MITM attack.)

  • The headline should read:

    "Comcast Colludes With Yahoo! to Redirect Miss-typed URL Traffic for their own Profit"

  • it can fail badly (Score:5, Interesting)

    by RichMan ( 8097 ) on Thursday July 09, 2009 @03:22PM (#28640821)

    My ISP did it for a while. The problem was that it was badly implemented and increased to load on the upstream DNS services.

    So if the middle layer DNS cache was empty and I asked for
        mybank.com the bottom level DNS timed out and it failed over to the advertising page.

    Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.

    Think of the lawsuits. Think of the denial of service attacks possible
          a) register not_mybank.com, have spoof of mybank.com page ready to launch
          b) pay to have a fail on mybank.com route to not_mybank.com
          c) denial of service attack to root servers for mybank.com, flip in your spoof page
          d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords

    Yeah this is a good idea.

  • It's not that this is a really big deal for me. It's just the straw that broke the camel's back. I've had all sorts of trouble with Comcast of late, and this just pushed me over the edge. I've been very, very close ever since they started blocking outbound SMTP connections (yeah, I can and do use the SMTP submission port for sending e-mail, but how am I supposed to monitor my remote SMTP servers from home?).

  • Not the same at all. (Score:5, Interesting)

    by John Hasler ( 414242 ) on Thursday July 09, 2009 @03:28PM (#28640871) Homepage

    > Some may remember when VeriSign tried this back in 2003, where it also failed.

    Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.

  • What about non-HTTP? (Score:5, Interesting)

    by slushdork ( 566514 ) on Thursday July 09, 2009 @03:30PM (#28640915)
    I'm a Comcast "customer" in an affected "market" (Colorado). How will this affect DNS resolution requests for non-HTTP purposes? There is no way for the Comcast DNS servers to know what a DNS name resolution request is for: it could be for HTTP, or it could be for SSH, FTP, etc. So if I mis-type an FQDN hostname in an SSH command, will the DNS resolution request now suceed? Previously SSH would fail with a "cannot resolve hostname" error or something similar. Will it now try to connect with SSH to the Comcast "domain helper" servers? What about its effects on local DNS caching servers (e.g. dnsmasq)?

    Also, this statement from Comcast's blog is blatantly false:

    Despite the fact that web addresses are easier to remember than their IP address counterparts, sometimes you mistype an address. Let's say you type in http://www.comtcas.com/ [comtcas.com] (instead of http://www.comcast.com./ [www.comcast.com] Normally you then sit and wait for the Web browser to time out, then you receive an error message that the site does not exist, and then you have to retype the correct address.

    Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.

    Domain Helper my a$$!

  • Oblig. (Score:4, Funny)

    by blackfrancis75 ( 911664 ) on Thursday July 09, 2009 @03:32PM (#28640935)
    I've been a Comcast customer for HERBAL VIAGRA several years and have never had an issue with unsolicited REAL WEIGHT LOSS advertising of any kind.
  • Seems like a simple enough solution, geeks like us should help friends, neighbors, relatives, and anyone else we encounter to opt-out of this nonsense. If enough people opt-out of this then DNS redirection could theoretically become unprofitable enough that they would ditch it!

    Grass-roots spreading the word has worked well for Firefox, so why not this?

  • by Skapare ( 16644 ) on Thursday July 09, 2009 @04:39PM (#28641881) Homepage

    ... in addition to their modem MAC based opt-out mechanism, they:

    1. Provide alternative DNS cache servers that users can manually configure to bypass the redirection DNS cache servers. Support for this service can be limited to only informing the customer of the IP addresses of these DNS cache servers, such as on the tech support web page that tells customers how to opt-out. They do NOT have to support users on how to deploy this type of change.
    2. Do NOT interfere with DNS queries sent to other DNS servers, whether with or without the recurse flag in the request. This is so that a user can run their own DNS cache server either on an internal network, or access a DNS cache server elsewhere on the internet (their own remote server, or a DNS caching/resolving service), without the need to set up a secure tunnel.
    3. Do NOT interfere with any form of secure tunnel or other VLAN.
    4. Do NOT intercept any UDP traffic, or TCP connections, or SCTP sessions, unless those are directed specifically to the provider's servers or services. For example the provider may offer HTTP caching services, media stream multipliers, IRC servers, etc., but must not affect users that want to bypass those services. ONE EXCEPTION: connections made to port 25 outside the provider's network SHOULD be intercepted unless the customer makes a "knowledgeable opt-out request" (for example, mentions "SMTP").
    5. Do NOT do any other evil activity I don't have time to think about right now.

    Anyone that knows what they are doing, or finds out via information from some source (the provider not being obligated to supply this information), should be able to use the internet exactly as it was originally intended.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling